Schedule repository access for on-call users
On-call engineers and staff often need access to production data and other repositories, but the sensitive nature of these repositories means that each person's access grant should remain open only during their on-call rotation.
You can automate on-call access grants by linking Cyral with your on-call management system. When you do this, you combine authentication from your identity platform with scheduling from your on-call management system and repository access enforcement from Cyral. Before you begin, complete these steps:
- Set up on-call schedules in your on-call management system, like PagerDuty
- Connect your on-call management system to Cyral
- Set up Cyral to protect your data repository
- Connect Cyral to your SSO identity provider
Create an access rule tied to your team's on-call schedule
In the Cyral control plane UI, click Data Repos in the left navigation bar, click the name of your repository, and click the User Authentication tab.
Follow the instructions in Add an access rule, taking care to:
Click the name of the database account that your on-call users will use for connecting.
Click Add Rule.
In the SSO Group section, specify the name of the SSO group that contains your on-call team. Alternatively, you may choose SSO User and specify an SSO user name. Use the group name or user name as it's written in your identity service.
In the When is this access permitted? section, you can usually set it to Always: the on-call schedule already limits access to the periods when the user is actively on-call. If you set a narrower window instead, both restrictions apply, so the user can connect only while the rule's window and one of their on-call shifts overlap.
Expand the Additional Access Restrictions section, open the On-Call Access drop-down list, and choose the name of your on-call management system integration.
Click Add Rule.
Your on-call access control setup for this repository is complete.
Check if on-call access control is enabled for any users of a repository
You can check whether on-call access control is active for any repository by clicking the Data Repos page, clicking the name of the repository, and clicking the User Authentication tab. For each user and group on the repository, the Access Rules section lists the rules. Check the Conditions column to see whether an on-call management system has been set up to limit access. In the example below, the P icon shows that a PagerDuty on-call schedule is in use.
How on-call users connect to a repository
An on-call user can connect to their configured repositories during their on-call rotation. Users connect as usual, using the Cyral Access Portal.
Once a user's current on-call period ends, Cyral closes any connection the user still has open to the repository; the user cannot reconnect until their next on-call period begins.
See also the repo connection instructions for more details on manually connecting to repositories.
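The decision this page describes combines three inputs: SSO group membership from the identity provider, the access rule's own time window, and the on-call schedule. The sketch below is an added example, not Cyral's code and not a description of how Cyral implements its checks; it shows the logic a practitioner would expect from such an integration: all three conditions must hold, an open connection expires at the earlier of the rule window end and the on-call shift end, and open sessions are re-evaluated against the current schedule rather than trusting an expiry computed at connect time (which also catches shifts that were shortened or reassigned after the connection opened). The data shapes, the names `AccessRule`, `OnCallShift`, `evaluate` and `sessions_to_close`, and the sample schedule are assumptions made for this example; the schedule and group data are constructed.

```python
"""On-call access decision sketch (added example; not Cyral code).
Data shapes, names and the sample schedule are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class OnCallShift:
    user: str          # SSO user name, as written in the identity provider
    start: datetime    # inclusive, must be timezone-aware
    end: datetime      # exclusive, must be timezone-aware


@dataclass(frozen=True)
class AccessRule:
    db_account: str                           # database account on-call users connect as
    sso_group: str                            # SSO group named in the rule
    valid_from: Optional[datetime] = None     # valid_from/valid_until both None means "Always"
    valid_until: Optional[datetime] = None
    on_call_integration: Optional[str] = None  # on-call integration name; None = no on-call restriction


def _aware(t: datetime) -> datetime:
    # On-call schedules are published in a timezone; a naive timestamp is a bug, not a default.
    if t.tzinfo is None:
        raise ValueError("naive datetime: evaluate on-call access with timezone-aware timestamps")
    return t


def current_shift(schedule: Iterable[OnCallShift], user: str, now: datetime) -> Optional[OnCallShift]:
    """Return the shift covering `now` for `user`, or None if the user is off duty."""
    now = _aware(now)
    for shift in schedule:
        if shift.user == user and shift.start <= now < shift.end:
            return shift
    return None


def evaluate(rule: AccessRule, group_members: Dict[str, Set[str]], schedule: Iterable[OnCallShift],
             user: str, now: datetime) -> Tuple[bool, Optional[datetime], str]:
    """Decide whether `user` may connect as rule.db_account at `now`.

    Returns (allowed, expires_at, reason). Group membership, the rule window and, if the
    rule names an on-call integration, an active shift must all hold. `expires_at` is when
    an open connection must be closed: the earlier of the rule window end and the shift end
    (None when the rule is "Always" and no on-call restriction applies).
    """
    now = _aware(now)
    if user not in group_members.get(rule.sso_group, set()):
        return False, None, "user not in SSO group"
    if rule.valid_from is not None and now < rule.valid_from:
        return False, None, "before rule window"
    if rule.valid_until is not None and now >= rule.valid_until:
        return False, None, "after rule window"
    expires = rule.valid_until
    if rule.on_call_integration is not None:
        shift = current_shift(schedule, user, now)
        if shift is None:
            return False, None, "user not on call"
        expires = shift.end if expires is None else min(expires, shift.end)
    return True, expires, "allowed"


def sessions_to_close(open_sessions: List[str], rule: AccessRule, group_members: Dict[str, Set[str]],
                      schedule: Iterable[OnCallShift], now: datetime) -> List[str]:
    """Re-evaluate every open session (one entry per connected user) against the *current*
    schedule and return the users whose connections must be closed."""
    return [u for u in open_sessions if not evaluate(rule, group_members, schedule, u, now)[0]]


# Constructed sample data: a two-shift day, one SSO group, and a rule set to "Always"
# with an on-call restriction. All names are made up for the example.
DAY = datetime(2024, 5, 1, tzinfo=UTC)
SCHEDULE = [
    OnCallShift("alice", DAY + timedelta(hours=8), DAY + timedelta(hours=20)),
    OnCallShift("bob", DAY + timedelta(hours=20), DAY + timedelta(hours=32)),
]
GROUP_MEMBERS = {"oncall-dba": {"alice", "bob", "carol"}}   # carol is in the group but has no shift
RULE = AccessRule("dba_ro", "oncall-dba", on_call_integration="pagerduty")
BOUNDED_RULE = AccessRule("dba_ro", "oncall-dba", valid_until=DAY + timedelta(hours=18),
                          on_call_integration="pagerduty")
NOW = DAY + timedelta(hours=10)        # mid-way through alice's shift
HANDOVER = DAY + timedelta(hours=20)   # alice's shift ends, bob's begins


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, evaluate(RULE, GROUP_MEMBERS, SCHEDULE, user, NOW))
    print("close at handover:", sessions_to_close(["alice", "bob"], RULE, GROUP_MEMBERS, SCHEDULE, HANDOVER))
```

Two design points carry over to any real deployment: shift boundaries are half-open (a connection opened at 08:00 is in the shift, one at 20:00 is not), and the expiry returned at connect time is a scheduling hint only; the periodic re-evaluation in `sessions_to_close` is what actually enforces the end of the rotation.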